Hi,<div><br></div><div>Could you please help here.</div><div><br></div><div>Thanks and Regards,</div><div>Ravi<br><br><div class="gmail_quote">On Fri, Jan 11, 2013 at 1:02 PM, Ravikumar Chennaparapu <span dir="ltr">&lt;<a href="mailto:ravikumar.ece@gmail.com" target="_blank">ravikumar.ece@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<div><br></div><div>We are trying to establish 4 IKE tunnels as below:</div><div><br></div><div><p class="MsoNormal">
<span style="color:blue">         172.29.88.2...172.17.11.56,</span></p>

<p class="MsoNormal"><span style="color:blue">          172.29.88.2... 172.16.11.55,</span></p>

<p class="MsoNormal"><span style="color:blue">          172.29.88.2... 172.18.11.57,</span></p>

<span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue">          172.29.88.2... 10.69.196.246</span></div><div><br></div><div>Initiator Configuration</div><div>------------------------------------------------------------------------------------------------------</div>

<div>PSKs in "ipsec.secrets" file</div><div><br></div><div><p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue">172.29.88.2 172.16.11.55 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"</span></p>

<p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue">172.29.88.2 172.17.11.56 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"</span></p>

<p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue">172.29.88.2 172.18.11.57 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"</span></p>

<p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue">172.29.88.2 10.69.196.246 : PSK
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></p><p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue"><br></span></p><p class="MsoNormal" style="text-indent:47.25pt"></p>

<div style="text-indent:0px">Responder Configuration</div><div style="text-indent:0px">------------------------------------------------------------------------------------------------------</div><div style="text-indent:0px">

PSKs in "ipsec.secrets" file</div><p></p><p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue"><br></span></p><p class="MsoNormal" style="text-indent:47.25pt"></p><p class="MsoNormal" style="text-indent:47.25pt">

<span style="color:blue">172.29.88.2 172.16.11.55 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"</span></p>

<p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue">172.29.88.2 172.17.11.56 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"</span></p>

<p class="MsoNormal" style="text-indent:47.25pt"><span style="color:blue">172.29.88.2 172.18.11.57 : PSK
"~zyxwvutsrqponmlkjihgfedcba_][ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876"</span></p>

<b><span style="font-size:12.0pt;font-family:"Calibri","sans-serif";color:blue">                #</span><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue">172.29.88.2 10.69.196.246 : PSK "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"</span></b><p>

</p><p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue"><br></span></b></p><p class="MsoNormal" style="text-indent:47.25pt">

<b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue">In this case, all IKE tunnels are not getting established due to a "MAC mismatch" error on the responder. </span></b></p>

<p class="MsoNormal" style="text-indent:47.25pt"><br></p><p class="MsoNormal" style="text-indent:47.25pt"></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">14[NET] received packet: from 172.29.88.2[500] to
172.18.11.57[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">14[IKE] 172.29.88.2 is initiating an IKE_SA</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">14[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">14[NET] sending packet: from 172.18.11.57[500] to
172.29.88.2[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">15[NET] received packet: from 172.29.88.2[500] to
172.18.11.57[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">15[CFG] looking for peer configs matching 172.18.11.57[%any]...172.29.88.2[172.29.88.2]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">15[CFG] selected peer config 'conn3'</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">15[IKE] tried 3 shared keys for '%any' - '172.29.88.2',<b> but MAC
mismatched</b></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">15[NET] sending packet: from 172.18.11.57[500] to
172.29.88.2[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">08[NET] received packet: from 172.29.88.2[500] to
172.18.11.57[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">08[IKE] 172.29.88.2 is initiating an IKE_SA</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">08[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">08[NET] sending packet: from 172.18.11.57[500] to
172.29.88.2[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">07[NET] received packet: from 172.29.88.2[500] to
172.18.11.57[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">07[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">07[CFG] selected peer config 'conn3'</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">07[IKE] tried 3 shared keys for '%any' - '172.29.88.2', but MAC
mismatched</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">07[NET] sending packet: from 172.18.11.57[500] to
172.29.88.2[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">10[NET] received packet: from 172.29.88.2[500] to
172.18.11.57[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">10[IKE] 172.29.88.2 is initiating an IKE_SA</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">10[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">10[NET] sending packet: from 172.18.11.57[500] to
172.29.88.2[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">09[NET] received packet: from 172.29.88.2[500] to
172.18.11.57[500]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">09[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">09[CFG] looking for peer configs matching
172.18.11.57[%any]...172.29.88.2[172.29.88.2]</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">09[CFG] selected peer config 'conn3'</span></p>

<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">09[IKE] tried 3 shared
keys for '%any' - '172.29.88.2', but MAC mismatched</span><p></p><p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue"><br>

</span></b></p><p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue"> If we uncomment the last line in the "ipsec.secrets" file on the responder, then all IKE tunnels are established successfully. We think the initiator is only using the last PSK for all the IKE tunnels, though different PSKs are configured for each. Could you please help us here.</span></b></p>

<p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue"><br></span></b></p><p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue">One more query, how to find the PSK being used during IKE negotiations? </span></b></p>

<p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue"><br></span></b></p><p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue">Thanks in Advance.</span></b></p>

<p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue"><br></span></b></p><p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue">BR,</span></b></p>

<p class="MsoNormal" style="text-indent:47.25pt"><b><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:blue">Ravi</span></b></p></div>
</blockquote></div><br></div>
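An added example, not part of the original mail and not strongSwan code: a small check that compares the PSK entries of two peers' "ipsec.secrets" files by selector pair and flags entries that are missing, commented out, lack a closing quote, or carry a different secret, using truncated SHA-256 fingerprints so the secrets themselves are never printed. It assumes only the quoted `selectors : PSK "secret"` line form shown in the mail; the sample files are constructed, modelled on that layout with placeholder secrets, and the function names are hypothetical.

```python
import hashlib
import re

# `<selectors> : PSK "<secret>"`; a leading '#' marks the entry as commented out.
PSK_LINE = re.compile(r'^\s*(#?)\s*(.*?)\s*:\s*PSK\s+"([^"]*)("?)\s*$')

def parse_psk_entries(text):
    """Return {frozenset(selectors): (fingerprint, active, terminated)}."""
    entries = {}
    for line in text.splitlines():
        m = PSK_LINE.match(line)
        if not m:
            continue  # blank line, plain comment, or a non-PSK secret type
        commented, selectors, secret, closing = m.groups()
        fp = hashlib.sha256(secret.encode()).hexdigest()[:12]
        entries[frozenset(selectors.split())] = (fp, not commented, closing == '"')
    return entries

def compare(initiator_text, responder_text):
    """List findings for PSK entries that are unusable or differ between peers."""
    ini = parse_psk_entries(initiator_text)
    rsp = parse_psk_entries(responder_text)
    findings = []
    for sel in sorted(set(ini) | set(rsp), key=sorted):
        name = " ".join(sorted(sel))
        for side, table in (("initiator", ini), ("responder", rsp)):
            if sel not in table:
                findings.append(f"{name}: missing on {side}")
            elif not table[sel][1]:
                findings.append(f"{name}: commented out on {side}")
            elif not table[sel][2]:
                findings.append(f"{name}: unterminated quote on {side}")
        if sel in ini and sel in rsp and ini[sel][0] != rsp[sel][0]:
            findings.append(f"{name}: secret differs")
    return findings

# Constructed sample input: addresses follow the mail, secrets are placeholders.
COMMON = (
    '172.29.88.2 172.16.11.55 : PSK "constructed-secret-one"\n'
    '172.29.88.2 172.17.11.56 : PSK "constructed-secret-one"\n'
    '172.29.88.2 172.18.11.57 : PSK "constructed-secret-one"\n'
)
INITIATOR = COMMON + '172.29.88.2 10.69.196.246 : PSK "constructed-secret-two\n'
RESPONDER = COMMON + '#172.29.88.2 10.69.196.246 : PSK "constructed-secret-two"\n'

if __name__ == "__main__":
    for finding in compare(INITIATOR, RESPONDER):
        print(finding)
```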